Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

PENETRATION TEST OF THE FOOD AND DRUG ADMINISTRATION'S COMPUTER NETWORK

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General for Audit Services

October 2014
A-18-13-30331

Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations.
These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements.
OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

The Food and Drug Administration needed to address cyber vulnerabilities on its computer network that could potentially have led to a data breach.

INTRODUCTION

This report provides an overview of the results of our penetration test of the Food and Drug Administration's (FDA) computer network. It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We provided more detailed information and recommendations to FDA so that it could address the issues we identified.

WHY WE DID THIS REVIEW

Computer hackers are increasingly compromising Government systems, publishing sensitive data, and using stolen data to commit fraud. Threats to Federal agency Web applications are continually changing because of advances made by hackers, the release of new technology, and the deployment of increasingly complex systems. Web sites that are not properly secured are vulnerable to unauthorized users who could compromise the confidentiality of sensitive information or negatively affect the operations of Federal agencies.

The objective of this review was to determine whether the FDA's network and external Web applications were vulnerable to compromise through cyber attacks.

BACKGROUND

Penetration tests identify methods of gaining access to a system by using tools and techniques that attackers use. The objective of penetration testing is to uncover potential vulnerabilities in information technology (IT) products and information systems resulting from implementation errors, configuration faults, or other operational deployment weaknesses or deficiencies.
This audit is one of a series of Office of Inspector General (OIG) audits using penetration testing on networks run by the U.S. Department of Health and Human Services (HHS) and its operating divisions.

FDA is responsible for protecting public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, our nation's food supply, cosmetics, and products that emit radiation. FDA is also responsible for advancing the public health by helping to speed innovations that make medicines more effective, safe, and affordable and for regulating the manufacturing, marketing, and distribution of tobacco products to protect public health and reduce tobacco use by minors.

FDA's Office of Information Management manages the IT infrastructure and ensures that FDA has a robust IT foundation that enables interoperability across FDA offices and allows development of enterprisewide systems that are necessary to meet FDA's mission efficiently and effectively. FDA's IT budget for fiscal year 2014 was $486 million, which was approximately 11 percent of the total FDA budget of $4.4 billion in fiscal year 2014, a significant investment.

Penetration Test of the FDA's Computer Network (A-18-13-30331) 1

On October 15, 2013 (before our fieldwork), a wide-scale cyber security breach involving an FDA system occurred that exposed sensitive information in 14,000 user accounts.

HOW WE CONDUCTED THIS REVIEW

We assessed the FDA network's exposure to cyber attacks by performing a penetration test of its network and information systems. We conducted the penetration test from October 21, 2013, through November 10, 2013, with the knowledge and permission of FDA officials.
We requested that FDA's incident response staff not be notified of our testing to assess the effectiveness of FDA's intrusion detection and response controls. The Appendix contains the details of our audit scope and methodology.

FINDINGS

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues: Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not performed on all external servers, error messages revealed sensitive system information, and demonstration programs revealed sensitive information. These could have led to: (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission-critical systems being made unavailable.

INADEQUATE WEB PAGE INPUT VALIDATION

Federal information systems should check the validity of information inputs to ensure that they are acceptable in terms of format and content. [1] Input validation helps to ensure the accuracy of user-supplied data and to prevent input attacks, such as reflected cross-site scripting. [2]

We identified FDA Web pages that did not perform adequate input validation on data entered by the user. Exploitation of this vulnerability could result in malicious input being sent from an attacker to FDA Web pages to hijack a user's Web browser application, install malicious programs, or redirect users to malicious Web pages.

EXTERNAL SYSTEMS DID NOT ENFORCE ACCOUNT LOCKOUT

Federal information systems are required to enforce a defined limit of consecutive invalid logon attempts by a user and automatically lock the account for a predetermined time period or until the account is released by an administrator. [3]
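The input validation finding above describes the control in prose only. The following is an added illustration, not code from the report or from FDA, of the two layers that prevent reflected cross-site scripting in a search page: an allowlist check on the input (the SI-10 style validation) and HTML encoding when the value is reflected into the page. The search-term format, the page markup and the probe string are all assumptions constructed for this example.

```python
import html
import re

# Allowlist for a search term: letters, digits, spaces and a little punctuation,
# bounded in length. This policy is an assumption for the example.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .,'\-]{1,64}$")


def is_valid_search_term(term: str) -> bool:
    """Allowlist validation: accept only the characters the field is meant to hold."""
    return SEARCH_TERM_RE.fullmatch(term) is not None


def render_results_unsafe(term: str) -> str:
    """The pattern behind reflected XSS: user input is copied verbatim into HTML."""
    return f"<p>Results for {term}</p>"


def render_results_safe(term: str) -> str:
    """Validate first, then HTML-encode the value before reflecting it.

    Encoding is kept even though the allowlist already excludes '<' and '>',
    so the page stays safe if the allowlist is later relaxed (defense in depth).
    """
    if not is_valid_search_term(term):
        raise ValueError("search term contains characters outside the allowed set")
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


def reflected_unencoded(page: str, probe: str) -> bool:
    """Check a tester would run: does a harmless markup probe come back unencoded?"""
    return probe in page
```

The unsafe renderer returns the constructed probe `<i>probe</i>` unchanged, which is the observation a tester reports as inadequate input validation; the safe renderer rejects it outright and encodes the quote in a legitimate term such as `O'Brien`.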
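The account lockout requirement just stated (a defined limit on consecutive invalid logon attempts, then a lock for a set period or until an administrator releases it) can be implemented as a small policy object. The block below is an added example written for this page, not FDA's or NIST's code; the limit of 5 attempts, the 15-minute lock, the account names and the timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values are assumptions for this example, not FDA's configuration.
MAX_CONSECUTIVE_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failures: int = 0                     # consecutive invalid logon attempts
    locked_until: Optional[float] = None  # expiry of a timed lock (epoch seconds)
    admin_locked: bool = False            # locked until an administrator releases it


class LockoutPolicy:
    """Consecutive-failure limit with either a timed lock or an administrator-released lock."""

    def __init__(self, max_failures=MAX_CONSECUTIVE_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, admin_release=False):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.admin_release = admin_release
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        s = self._state(user)
        if s.admin_locked:
            return True
        if s.locked_until is not None:
            if now < s.locked_until:
                return True
            s.locked_until = None  # timed lock has expired; start a fresh count
            s.failures = 0
        return False

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'denied'. The lock is checked before the
        password, so a correct password offered during a lock is still rejected."""
        s = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            s.failures = 0
            return "ok"
        s.failures += 1
        if s.failures >= self.max_failures:
            if self.admin_release:
                s.admin_locked = True
            else:
                s.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"

    def admin_release_account(self, user: str) -> None:
        """Administrator clears the lock and the failure counter."""
        self.accounts[user] = AccountState()
```

The point the finding turns on is visible in `record_attempt`: without the lock check, repeated guessing would eventually succeed, and with it the guessing rate is capped regardless of whether the guess is right.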
[1] National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, Control SI-10.
[2] Reflected cross-site scripting occurs when a dynamically generated Web page takes untrusted data and returns them to be rendered within the victim's browser without proper validation and sanitization.
[3] NIST SP 800-53 Revision 4, Control AC-7.

We identified FDA external systems that did not enforce account lockout after repeated failed log-in attempts. An attacker could repeatedly attempt, either manually or using automated mechanisms, to gain access to an external system by trying login names and passwords until a correct combination is entered. If an attacker manages to authenticate to a system as an administrative user, he or she would gain control of the system and its content.

ASSESSMENTS WERE NOT PERFORMED ON ALL EXTERNAL SERVERS

The HHS Office of the Chief Information Officer's Policy for Information Systems Security and Privacy Handbook (PISSP Handbook) requires HHS's operating divisions to assess the security controls in information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and meeting the security requirements for the system. Additionally, the PISSP Handbook requires that all Department systems, hosted applications, and networks undergo periodic vulnerability scanning no less than annually.

Although we were allowed to test the majority of FDA's external Web applications, we did not perform penetration testing on seven external systems. FDA officials considered these systems to be mission critical and did not want to accept the risk of having them go offline.
Hence, we could not verify whether security vulnerabilities existed within these systems and whether the vulnerabilities could be exploited to gain unauthorized access to FDA systems and data.

We asked to review reports for any security testing performed by FDA or a third-party organization for the seven external systems we did not test; however, we determined that FDA had performed a security assessment for only one of those seven systems. We reviewed the security assessment results, scope, and methodology for this system and determined that because the system was tested within a preproduction environment only, the security assessor was not able to validate FDA's claims that controls within the preproduction environment mirrored the production environment. [4] Therefore, there is a risk that vulnerabilities may exist within the production version of the system.

ERROR MESSAGES REVEALED SENSITIVE SYSTEM INFORMATION

Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers because the messages reveal application code or information that helps attackers exploit vulnerabilities. NIST requires Federal information systems to generate error messages that provide information necessary for corrective action without revealing information that could be exploited by adversaries. [5]

We identified FDA Web sites in which detailed error messages revealed sensitive system information.
An attacker could use information obtained from detailed error messages, such as software version information, to launch specific attacks against FDA systems. Detailed error messages can help attackers pinpoint vulnerabilities to focus their attacks.

[4] A review of FDA's configuration management controls for development, test, and operational environments was outside the scope of this audit.
[5] NIST SP 800-53 Revision 4, Control SI-11.

DEMONSTRATION PROGRAMS REVEALED SENSITIVE INFORMATION

Federal information systems should be configured to provide essential capabilities and to determine what functions and services, some of which are provided by default, should be disabled or even eliminated. [6] Oftentimes, software may leave demonstration programs or sample scripts available as part of a default installation.

We identified demonstration programs that could be run on FDA systems. The programs revealed sensitive internal system environment settings. Disclosure of such information could help an attacker to launch specific attacks against the FDA systems.

RECOMMENDATIONS

We made seven recommendations to FDA to address the security vulnerabilities that we identified. In general, we recommended that FDA fix the Web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyber attacks, and periodically assess the security of all of its Internet-facing systems. This report summarizes our recommendations because of the sensitive nature of the information.
We provided more detailed recommendations to FDA.

AUDITEE COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

In written comments to our draft report, FDA indicated that our findings have been addressed by the system owner(s) and remediation actions have been appropriately applied. We have not verified these actions because they took place after our audit period.

Implementation of our recommendations should further strengthen the information security of FDA's network and external Web applications. The timely implementation of our recommendations is important, and we plan to follow up with FDA on these audit results and its remediation actions.

[6] NIST SP 800-53 Revision 4, Control CM-7.

APPENDIX: AUDIT SCOPE AND METHODOLOGY

SCOPE

We focused our audit on the FDA network and Web sites in operation during the period October 21, 2013, through November 10, 2013. We did not review FDA's overall internal control structure.

METHODOLOGY

We prepared a Rules of Engagement document that outlined the general rules, logistics, and expectations for the penetration test, and FDA and OIG management signed it.
We performed the following procedures:

• conducted information-gathering techniques to discover the following for FDA:
  o network address ranges,
  o host names, [9]
  o hosts exposed to the Internet,
  o applications running on exposed hosts,
  o operating system and application version information,
  o current patch levels of the hosts and applications residing on hosts,
  o structure of the applications and supporting servers, and
  o domain name server records;

• conducted vulnerability analysis techniques to discover possible methods of attack;

• attempted to exploit vulnerabilities identified in the vulnerability analysis to gain root- or administrator-level access to the targeted systems or other trusted-user account access;

• reviewed reports on security assessments performed by FDA or third-party organizations of FDA Internet-facing systems that we were not authorized to assess during our penetration test; and

• discussed our findings with FDA management.

[9] A host is any device connected to a computer network.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.